Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
652
Views
0
Helpful
3
Replies

Cisco ASA Anyconnect and MS CA server

BVC
Level 1
Level 1

‎10-07-2021 07:54 AM

I understand this might not be directly related to Cisco but I'm having a hard time finding info and trying to get it work.

Pretty much I'm trying to move away from using the inbuilt CA on the ASA for authenticating users with certs. I've managed to get the firewall to use SCEP and OCSP so it can autoenroll users when they first login and OCSP to check if their cert has been revoked. My main problem now is that a new cert is enrolled every time the user logs into a new device, so each user has a new cert on every device the login with. I want to restrict this so a single cert is only issued out to a single device for each user (so if they login with a new device autoenroll won't work and they can't get a cert) and when that cert is revoked (e.g. user got a new laptop) they can login with Anyconncet and they will autoenroll with a new cert.

I'm finding it hard trying to find anything on the MS CA that can do this, so what I'm asking is if the ASA can play any part of doing this, or is there a function on the MS CA that I'm missing that can do this.

Really appreciate any response as I'm stuck.

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎10-07-2021 08:02 AM

Hi @BVC 

Create another tunnel-group/connection that doesn't use SCEP enrollment. So for the first connection the user connects to a cert enroll connection profile/tunnel-group, receives a certificate and a new XML profile. From then on they connect to the 2nd connection profile/tunnel-group and uses the certificate to authenticate.

0 Helpful

BVC
Level 1
Level 1
In response to Rob Ingram

‎10-07-2021 08:35 AM

Hi Rob,

Thank you for the reply. I think I understand what you mean, but will that help with my problem? As users could just get onto another device, choose the tunnel group that enrolls them with the cert and get the cert that way. Then they just login with the other tunnel group with the cert that has been distributed to other devices the user has logged in with. 

0 Helpful

Rob Ingram
VIP
VIP
In response to BVC

‎10-07-2021 08:40 AM - edited ‎10-07-2021 08:48 AM

@BVC when connected to the certenroll connection profile, apply an interface ACL or VPN Filter or DACL to restrict access only to the CA to allow them to enroll for a certificate. They must connect to the other connection profile that gives them full access, obviously this will require some user instructions/training.

 

Ideally if possible you'd pre-deploy the certificates, if you have AD you can use a GPO to do this when they are connected to the network. You'd not need a cert enroll connection profile then.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents